On 10/02/2018 at 12:33, Jacques Le Roux wrote:
Hi,
Almost 6 years ago OFBIZ-4959 "Logout do not remove autoLogin" was created and I closed it as incomplete.
Recently, while working on OFBIZ-10206 "Security issue in Token Based Authentication", which followed my work in OFBIZ-9833 "Token Based Authentication", I needed a way to get the userLoginId (or userLogin) from the session. But, as explained in OFBIZ-10206, at this stage it was unavailable. So I decided to go with autoLoginCookies. I then "remembered" OFBIZ-4959.
So I'd like to commit the patch I provided at OFBIZ-4959. But before that I want to discuss autoLoginCookies and the feature, to be sure we are all on the same page.
The auto login feature is used in ecommerce applications (i.e. OOTB ecommerce and ecomseo) to welcome a user when s/he gets back. It does not really log the user in but eases the login process. From the code, the same feature exists in the webpos; I did not check.
AutoLoginCookies are also generated for all applications, but are not used for the auto login feature like in ecommerce applications. They can nevertheless be useful, as OFBIZ-10206 "Security issue in Token Based Authentication" proves. But for OFBIZ-10206, and for security in general, it's better to remove the autoLoginCookies of the other applications (i.e. not ecommerce and webpos) when the user logs out. Of course, if the user quits the session without logging out, the autoLoginCookies remain, so it's best to start with a clean state and remove the autoLoginCookies at start.
Without negative opinions, I'll commit OFBIZ-4959.patch in 1 week.
Jacques
Forgot to say that the autoLoginCookies have a time to live of 1 year.
Jacques
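To illustrate the cleanup the thread proposes (expire the long-lived autoLoginCookies at logout and again when a fresh login starts), here is an added example written against the plain Servlet API; it is not the OFBIZ-4959 patch nor OFBiz's own LoginWorker code. The cookie naming pattern (`<webapp>.autoUserLoginId`), the `webappPath` parameter and the class name are assumptions made for the example.

```java
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Hypothetical helper; call from both the logout handler and the start of a new login. */
public final class AutoLoginCookieCleanup {

    // Assumption: one auto-login cookie per webapp, named "<webapp>.autoUserLoginId".
    private static final String AUTO_LOGIN_SUFFIX = ".autoUserLoginId";

    // Matches the 1 year TTL mentioned in the thread; only webapps that use the
    // auto login feature (ecommerce, webpos) should keep issuing such a cookie.
    static final int ONE_YEAR_SECONDS = 60 * 60 * 24 * 365;

    private AutoLoginCookieCleanup() {}

    /**
     * Expire every auto-login cookie the browser sent with this request.
     * Returns the number of cookies expired so callers can log it.
     *
     * A browser only deletes a cookie when the expiring Set-Cookie carries the
     * same name, path (and domain) as the original, so webappPath must be the
     * path the cookie was issued with; a mismatched path silently leaves the
     * 1-year cookie in place.
     */
    public static int expireAutoLoginCookies(HttpServletRequest request,
                                             HttpServletResponse response,
                                             String webappPath) {
        Cookie[] cookies = request.getCookies();
        if (cookies == null) {
            return 0;
        }
        int expired = 0;
        for (Cookie sent : cookies) {
            if (!sent.getName().endsWith(AUTO_LOGIN_SUFFIX)) {
                continue;
            }
            Cookie kill = new Cookie(sent.getName(), "");
            kill.setMaxAge(0);              // Max-Age=0 instructs the browser to delete it
            kill.setPath(webappPath);       // must match the path used when it was set
            kill.setHttpOnly(true);         // not readable from scripts
            kill.setSecure(request.isSecure());
            response.addCookie(kill);
            expired++;
        }
        return expired;
    }
}
```

Calling this at the start of a login as well as at logout covers the case the thread describes, where the user closed the browser without logging out and the old cookie is still present.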